Configuring Authentication For Exchange ActiveSync

Authentication is the process by which a client and a server verify their identities for transmitting data. In Microsoft Exchange Server 2007, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it says it is. You can use authentication to verify that a device belongs to a particular individual or that a particular individual is trying to log on to Microsoft Office Outlook Web Access.

When you install Exchange 2007 and the Client Access server role, virtual directories are configured for several services. These include Outlook Web Access, the Availability service, Unified Messaging, and Microsoft Exchange ActiveSync. By default, each virtual directory is configured to use an authentication method. For Exchange ActiveSync, the virtual directory is configured to use Basic authentication and Secure Sockets Layer (SSL). You can change the authentication method for your Exchange ActiveSync server by changing the authentication method on the Exchange ActiveSync virtual directory.

This topic provides an overview of the authentication methods that are available for your Exchange ActiveSync server. For Exchange ActiveSync, the client is the physical device that is used to synchronize with the Exchange 2007 server.

There are three primary types of authentication you can choose for Exchange ActiveSync: Basic authentication, certificate-based authentication, and token-based authentication. When you install the Client Access server role on a computer that is running Exchange 2007, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To establish the SSL connection, certificate-based authentication requires the mobile device to have a valid client certificate that was created for user authentication installed. In addition, the mobile device must have a copy of the trusted root certificate from the server. If you choose token-based authentication, you will have to work with the token vendor for configuration.

Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and a password. That user name and password are sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid and grants access to the client. By default, this kind of authentication is enabled for Exchange ActiveSync. However, we recommend that you disable Basic authentication unless you are also deploying Secure Sockets Layer (SSL). When you are using Basic authentication over SSL, the user name and password are still sent in plain text, but the communication channel is encrypted.

Certificate-based authentication uses a digital certificate to verify an identity. Certificate-based authentication provides other credentials, in addition to the user name and password, which prove the identity of the user who is trying to access the mailbox resources that are stored on the Exchange 2007 server. A digital certificate consists of two components: the private key that is stored on the device and the public key that is installed on the server. If you configure Exchange 2007 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2007:

The device has a valid client certificate installed that was created for user authentication.

The device has a trusted root certificate for the server to which they are connecting to establish the SSL connection.

Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2007. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Microsoft Windows XP or the Windows Mobile Device Center in Microsoft Windows Vista.

A token-based authentication system is a two-factor authentication system. Two-factor authentication is based on a piece of information the user knows, such as their password, and an external device that is usually in the form of a credit card or a key fob that a user can carry with them. Each device has a unique serial number. In addition to hardware tokens, some vendors offer software-based tokens that can run on mobile devices.

Tokens work by displaying a unique number, typically six digits long, that changes every 60 seconds. When a token is issued to a user, it is synchronized with the server software. To authenticate, the user enters their user name, password, and the number that is currently displayed on the token. Some token-based authentication systems also require the user to enter a PIN.

Token-based authentication is a strong form of authentication. The disadvantage to token-based authentication is that you must install authentication server software and deploy the authentication software on every user's computer or mobile device. There is also the risk that the user can lose the external device. This can be financially costly because of the need to replace lost external devices. However, the device is useless to a third party without the original user's authentication information.

There are several companies that issue token-based authentication systems. One company is RSA. Their product, SecurID, comes in a variety of forms, including a key fob and a credit card. A one-time authentication code is issued through the token. Each authentication code is valid for 60 seconds. Most tokens also have an expiration indicator on the device, for example, a series of dots that disappear as the length of time that the code has left decreases. This helps prevent a user from entering the correct code, only to have it expire before the authentication process is complete. After authentication has finished, the user does not have to authenticate with a new code unless they are logged off, either by choice or because the device times out because of inactivity. For more information about how to configure a token-based authentication system, see the documentation for the particular system.